Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)

X-seq: zsh-workers 46180
From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
To: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
Subject: Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
Date: Sat, 4 Jul 2020 13:20:26 -0700
In-reply-to: <CAH+w=7aT+Lf1j5RkdtB5sMdg5QATReh16uTPMg31Bt+z-yxjZQ@mail.gmail.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <00cb28e8-004e-2c8c-e02d-6063f4079c1d@soptik.tech> <20200626162405.4a7d28c1@tarpaulin.shahaf.local2> <CAH+w=7YVxqB5-TSO8QNvJajjv_MxnmWijd9PX=wkzXNu-GKGmg@mail.gmail.com> <CAH+w=7ZG2Gg1eby+qU62iLrB5cvshhqokvPCd9cKFdmJ4u_GzA@mail.gmail.com> <CAH+w=7a=fX_Onyt=yie=+J_xGEdB+crs6DU9tgCQfqZ9HTGUJQ@mail.gmail.com> <CAH+w=7aT+Lf1j5RkdtB5sMdg5QATReh16uTPMg31Bt+z-yxjZQ@mail.gmail.com>
Sender: zsh-workers@xxxxxxx

On Sun, Jun 28, 2020 at 8:48 PM Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
>
> So the patch is sort of on the right track, but still not the whole
> story.  Turning this back over to others, I probably won't have a
> chance to look at it again for a few days.

Spent a little while on this today.

This seems to be related to get_comp_string() and the way completion
really wants to remove quotation marks.  E.g.:

% alias a='echo z'<TAB>
% alias a=echo\ zsh

When doing complete-in-word after an open-quote AND there are other
characters on the line that have to be backslash-escaped in order to
remove the quotes, the process of updating the line becomes confused.
For example, starting from:

% alias a="echo foo bar

Complete-in-word after "echo" crashes, and after "foo" produces the
"expect x at offset" debugging message.

It does seem to require the collusion of "compset -q" to actually
crash it.  The recalculation of where words begin and end leads to
mis-indexing.

Again this is as far as I've gotten.  If anyone else wants to have a
go, by all means.

References:
- [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
  - From: Petr Šťastný
- Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
  - From: Daniel Shahaf
- Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
  - From: Bart Schaefer
- Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
  - From: Bart Schaefer
- Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
  - From: Bart Schaefer
- Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
  - From: Bart Schaefer

Messages sorted by: Reverse Date, Date, Thread, Author